The Anatomy of a Cyber Insurance Policy

There are hundreds of different cyber insurance policies to choose from. Add to this the fact that cyber insurers will be implementing some significant changes, and it’s easy to understand why a lot of organizations need help finding the policy that will continue to work best for them.

According to Joseph Brunsman, Founder of The Brunsman Advisory Group, there is no single cybersecurity insurance company or policy that is the best option across the board for organizations. The best policy for your organization depends entirely on your particular business.

When it comes to understanding your business needs with regards to cyber insurance, a helpful strategy includes breaking the policy down into its defining categories. This blog will explore the anatomy of a typical cyber insurance policy to give you a better understanding of how to choose the correct policy for your business needs—and meet cyber insurance eligibility criteria for that policy.

Types of cybersecurity insurance coverage

Most cyber insurance policies can be separated into two areas: first-party coverage and third-party coverage.

1^st party coverage

First-party cyber insurance covers the insured’s own financial losses that have resulted from the cyber event. In other words, these are the costs associated to you: the money your business has to pay following a cybersecurity attack or breach on your network or systems. These costs could include:

• Business interruption – The costs that result when the policyholder is unable to conduct normal business due to the cyberattack. Coverage may include loss of income and other subsequent costs.
• Cyberextortion threats – Costs associated with payment of a ransom to save the company from further damage. Ransomware is a common example of this.
• Customer notifications – Costs associated with notification and liaison with customers after a breach has occurred. Often, a third-party company must be brought in to handle this task.
• Fraud and theft – Costs that arise out of the destruction or loss of data due to theft, fraud, etc. This may include credit monitoring services or anti-fraud protection to mitigate the risk after an attack has taken place.
• Public relations – Costs associated with restoration of a business’s reputation.
• Forensic Investigation – The costs associated with the forensic investigation into the attack and the technical and legal services required to meet the standards of the presiding court.
• Loss of data and restorative work – Costs ranging from the recovery of data to the repair or replacement of equipment (ie: computers) damaged as a consequence of the breach.

First-party cyber insurance coverage is often bundled with errors and omissions insurance. It is also notable that the majority of cyber insurance claims stem from first-party losses.

3^rd party coverage

Third-party cyber insurance covers the insured for any liability actions that are taken against them following a cyber event. This could include clients, vendors, and regulators—anyone who wants money from your business due to an incident. Coverage can include:

• Attorney fees
• Settlement costs
• Payment of court-ordered damages
• Costs associated with responding to regulatory inquiries
• Government fines and penalties

Types of cyber insurance policies

As outlined by Joseph Brunsman during a BeyondTrust-sponsored Cyber Insurance Summit session on “Cyber Insurance for the Modern Cybersecurity Professional,” there are four main types of cybersecurity insurance policies. Below are the details you should know about each type of policy so you can make an educated decision about the coverage you need for your organization.

Data breach coverage

Data breach insurance can refer to a number of policies that will protect a company from financial losses as a result of a data breach. These policies include cyber liability insurance and technology errors and omissions insurance (tech E&O).

For this type of breach, your policy will need to include coverage for an attorney who can guide you forward through the network of vendors and client communications. You will also need forensics to determine the scope and nature of the breach, hacker damage coverage, credit monitoring, business interruption reimbursement, regulatory fines and penalties coverage, a PR representative or call center, and notifications. An attorney will assist with any breach notification letters because each state has different requirements, and the laws that apply to you are set by where your clients are residents, not where your business is located.

Ransomware coverage

While a number of cyber policies cover ransom money, extortion-related expenses, and repair costs, it is important to note that some insurers are increasingly exclude ransomware from their policies (according to a 2023 survey by Veeam, 21% of respondents indicated that ransomware had been specifically excluded from their policies). It is important to notify your insurer before you pay a ransom, otherwise it may not be covered.

A ransomware incident will require policy coverage for an attorney, forensics, the ransom payment, hacker damage, notifications, credit monitoring (situationally required), regulatory fines and penalties, PR and call center, and business interruption. Currently the average length of disruptions is 22 days per ransomware attack.

Loss of funds

A loss of funds scenario will require policy coverage for cybercrime, wire fraud, push payments, reverse social engineering, and social engineering fraud. It is important to note that these terms have no uniform definition that extends across insurers or policies, so you need to be aware of what the policy itself says these terms mean.

Situationally important/miscellaneous

This is the bucket everything else falls into within your cyber insurance policy. This bucket includes things like crypto-jacking, bricking, and systems failure.

The policy coverage needed for these incidents includes business interruption coverage, utility fraud, invoice manipulation, dependent business interruption, dependent system failure, media liability, voluntary shutdown, property damage, and reputational harm. Reputational harm coverage generally covers the 180 days after a cyber event during which you could lose clients. It makes up the delta in revenue pre- and post-event.

Mistakes to avoid when choosing your cyber insurance policy

Exclusions

Make sure you read and understand the exclusions to your policy. All cyber insurance policies contain exclusions to limit the insurer's risk exposure and avoid coverage for known or predictable losses. It’s important to know what exclusions apply to your policy so you can either ensure you have chosen the best policy for your organization’s needs, or so you can modify your cybersecurity infrastructure to provide better protection against incidents that may be excluded from your coverage.

As an example of what to look for, paying ransomware may be illegal depending on who your payment gets traced back to (if they are on the OFAC list), and this can lead to penalties. It’s also important to note that not all post-breach costs are insurable; know which ones you don’t have coverage for. Are there regulations within your policy on which vendors and agencies you are allowed to consult post-incident? Know who you are allowed to build into your recovery and response strategy.

Material misrepresentation

This occurs when the insured makes an untrue statement that is material to the acceptance of risk in a policy, that would have changed the rate at which insurance would have been provided, or that would have changed the insurer’s decision to issue the contract. This results in rescission of the policy—which means the contract becomes voided and there will be no coverage for any of the losses. Rescission of policy also makes it exceedingly difficult for an insured party to be covered again.

Applications

Make sure you involve all parts of your organization when filling out a cybersecurity insurance application. Answer definitive questions with definitive answers. If you don’t understand what you are being asked, seek clarity. Don’t expect the information you’ve entered to be defensible or negotiable after the incident. If you have areas of partial compliance, use addendums to clarify. Be careful.

Policy limits

Don’t test your policy limits. Make sure you understand the level of risk and liability associated with your organization and the potential cost of those risks so you can set your policy limits accordingly.

Coverage does not clear your risk register

Don’t assume that you are in the clear because you have a cyber insurance policy. Successive breaches and a high loss ratio could lead to uninsurability. A high loss ratio occurs when the insurer has to pay out more to a claim than they collect through the premium. An acceptable loss ratio falls in the range of 40%-60% of the premium. If the insurer has to pay out more, they put themselves at financial risk. You need to make sure you are working to mitigate the risks that target your organization after you sign your contract, and you also need to keep up to date on the policy changes that could impact your risk mitigation strategy to prevent your policy from becoming a financial liability to your insurance company.

What cyber insurance changes do you need to plan for?

For cybersecurity professionals to properly prepare, Brunsman says they must know what security changes are required by cyber insurance companies, and why those changes require early communication and notification throughout their entire organization. This involves knowing:

• How to minimize costly application errors that could deny coverage
• How to easily deconstruct any cyber policy to best communicate those coverages throughout the organization
• How to find the policy that best fits the needs of the various stakeholders within the business
• Changes coming to the cyber insurance industry that require prior planning and appropriate funding.

Here are the topics Brunsman urges cybersecurity professionals to be aware of as they plan their cybersecurity strategies:

• Stricter control requirements - make sure you have a plan of implementation for controls
• Insurance cut-offs for specific industries or revenue thresholds
• Caps on widespread events
• Co-insurance requirements for ransomware
• Lower limits and sub-limits across the board
• Critical vulnerability exposures - If a critical vulnerability is assessed as an 8 or greater according to the common vulnerability scoring (CVS), you have 14 days to issue or deploy a patch or you may be denied coverage.
• Old hardware and software exclusions – Supply chain issues may be causing delays in hardware and software orders. Plan ahead of time by getting on the waiting list to update your EOL hardware/software
• Monitoring remote workers - get legal council on what you are allowed to monitor
• Zero day exclusions – watch for these and look for alternative policies if you see this exclusion
• Premiums are going up - leverage controls to get yourself into the optimal category.

Tips to keep in mind when selecting your cyber insurance policy

1. When reviewing your cyber insurance policy, break the declarations page down into the four types of policies to make it easier to visualize what coverage you have and what still poses a risk. Once you’ve assessed the remaining risks, you’ll be able to compare policies to see if any can provide better coverage for your specific vulnerabilities, or internally rework your risk mitigation strategy to make sure your organization is less vulnerable to the risks your policy doesn’t cover.
2. Think about your coverage needs in terms of a scenario—what are you most worried about happening and what reimbursement rules might you have to follow? This information will help inform for which buckets your policy will need to provide the most coverage.
3. Don’t be the sole point of failure if something is not on the policy. Talk to all stakeholders and get input from all responsible parties to see what needs to be included. Different entities will have different input on what constitutes a disaster for them.

How PAM & identity security addresses cybersecurity insurance requirements

There’s a new reality in the insurance world: cyber insurance should be considered a last resort. While in the past, having insurance coverage may have meant cyberthreats posed less of a financial risk, the same isn’t necessarily true today. If an organization has no solutions on the front-end that would have blocked a negative cyber event, that organization will have to prove that they are taking steps to mitigate that same threat moving forward, otherwise the insurance carrier can and likely will deny coverage. It’s a much better idea to make your cybersecurity solutions a priority and use your cyber insurance as a failsafe.

Privileged access management (PAM) provides foundational security capabilities required by most cyber insurers. Organizations use PAM for least privilege enforcement, privileged account and credential management, and remote access security. These capabilities can help organizations prevent attacks outright and greatly reduce the damage caused by a potential breach. They are also common criteria for cyber insurance approval, whether you are trying to prove compliance with board or regulation mandates, meet eligibility requirements for cyber insurance approval, prove you are taking cybersecurity seriously so you can avoid fines, or prove your mitigation approach against future threats so you can remain insurable.

PAM solutions can also help organizations map to a cybersecurity framework—another important step in qualifying for coverage.

BeyondTrust Privileged Access Management can help you qualify for cyber insurance and even get more favorable rates—while drastically reducing your cyber risk. Download the cyber insurance checklist to start checking off the boxes on your cyber insurance eligibility, or contact BeyondTrust today to discuss your requirements.